from the while-one-politician-looks-to-stop-it dept

We've talked about procedures within the Defense Department to block computers from accessing the website for The Guardian newspaper -- along with similarly short-sighted moves to apply a sledgehammer approach to pretending that public information isn't really public. I've heard from a few people within the Defense Department who defend this approach on basic procedural grounds of trying to "make sure" that classified info remains classified, but the real problem is considering any publicly revealed documents as still classified. As I've said each time this debate comes up, in the business world, the equivalent situation involving trade secrets or non-disclosure agreements almost always are recognized as null and void if the info becomes public through other means.

However, that's not the way the government works. The latest is that Homeland Security sent around a memo warning employees that merely opening up a Washington Post article about some of the leaks might violate their non-disclosure agreement to "protect National Security Information," and it even says that merely clicking on the story might make the reader "subject to any administrative or legal action from the Government." Got that? Working for the government and merely reading the news about things the government is doing might subject you to legal action.

Stunning.

At least someone in Congress realizes the insanity of all of this. Rep. Grayson, who displayed the very same NSA slides that DHS is warning its employees about in Congress itself, has offered up an amendment to the Defense Appropriations Bill, stating that nothing in the defense appropriations should be used to block employees from reading the news on their own time.

> None of the funds made available by this Act may be used to restrict the access of members of the Armed Forces to publically available online news media during morale, welfare, and recreation periods.

While this is one way to deal with the problem, I still think you solve a lot more problems with a basic recognition of reality: if classified documents become public, they shouldn't be considered classified any more, because (a) that's stupid and (b) it actually hinders the ability of government employees to be as knowledgeable as everyone else in the world. Also, Grayson's amendment only applies to the members of the armed forces, but not to civilian employees of the Department of Defense, or any employees of Homeland Security, who are subject to the crazy threats above.

Reader Comments

Hopefully it doesn't extend to their homes? I mean, the NSA would know, right?

In any case, I propose a crowdsourced campaign where we print those articles and the leaked documents and paste them in front of DHS, FBI, NSA, CIA etc. facilities and watch as they struggle to pretend they didn't see anything. That campaign against Lamar Smith that put the warn in a billboard in front of his office comes to mind ;)))

Re:

This is less about finding out about current events and more about the control of classified information. Despite the world and their dog knowing the classified stuff, accessing the information in the wild means putting classified information on a computer it isn't supposed to be on.

It's a government rule that has no exceptions for "widely distributed classified information."

Re:

They're aware of all the dissent due to the rampant violations of the Constitution and don't want to risk lowering the morale of those under their umbrella, much less risk more whistle-blowers raging against the machine.

I said this before and I'll say it again. We have two choices: freedom or slavery. One or the other. There is no such thing as a 'secure state with limited freedoms' -- that is a contradiction.

Re:

I don't think anyone questions this fact. It's what the government feeds us. I think the article discusses the idea that this is akin to an ostrich putting its head in the sand and pretending the world doesn't exist.

Preventing your employees from viewing publicly available "classified" documents is just like that.

Re:

Yeah, I think Mike made that pretty clear in the article.

Mike: "Even if it's the rule, it's a stupid rule that should be changed."
AC: "But . . . but . . . it's a rule!"
Mike: "As I said, the amendment is a step in the right direction, but it doesn't really fix the stupid rule."
AC: "But . . . but . . . it's a rule!"

Sorry, but I just expected more

You know, the degree to which these departments stick their head in the sand about this is just phenomenal. Standard operating procedure...which contains what seems to be ZERO critical thinking. I seriously would expect more from those who have such a massive budget, coupled with (what they think) is a massive responsibility.

Block access to perfectly legitimate news sites - although any other non-government computer can freely access the information.

Threaten anyone who even *reads* about the leaks - so now they're concerned with what you read on your time...great.

Pretend that "classified" documents that the entire public has access to are still classified - this is the pinnacle of stupidity.

Seriously, someone, **SOMEONE** needs to apply *SOME* degree of logic at some point, because the current folks in charge are nothing short of incompetent.

You're thinking about it wrong.

You've got the wrong idea. Let's explore some hypotheticals. Corporations spy on each other all the time. Sometimes their inner dealings and development get revealed to the public. Other times they are deliberately leaked. At all times, the people within a corporation who are "in the know" are potential targets for industry spies of all kinds.

When you sign a non-disclosure agreement with a company, you agree to not disclose certain information to the public or any other entity. Now, let us suppose that you sign an NDA with a corporate development division. Let us also suppose that some of the work covered by NDA gets put out onto wikileaks. Now, those corporate spies are still out there, they still want even MORE information if they can get it. If they can catch one of the people who has signed an NDA online commenting on one of those articles, or even just reading it, you can actually learn more than just the leaked information alone.

The goal is information control, and everyone does it. When you sign away your rights to disclose certain information, the disclosure of that information cannot end your agreement, it just doesn't. Just because "fact A" was leaked, doesn't mean you want the people who knew "fact A" flooding websites from the same IP# subnets at the same time to all read about the press' opinion of classified "fact A". Doing so can very easily reveal to a publication who they should be questioning to find out more. Worse, that publication may literally have the corporate or state spies you are trying to avoid working for them, slipping that information to higher-ups.

SO YES, restricting the people who have voluntarily agreed to not disclose certain information from viewing said information online once it has been revealed to the public... IS ACTUALLY A VERY SMART THING TO DO.

Re: You're thinking about it wrong.

SO NO, restricting the people who have voluntarily agreed to not disclose certain information from VIEWING said information online once it has been revealed to the public... IS ACTUALLY A VERY STUPID THING.

Re: You're thinking about it wrong.

Smart in that it perpetuates fear among employees for visiting perfectly legitimate and LEGAL news outlets?

NEWS about the situation is not classified, despite what any of these morons think personally. If this kind of stipulation was put into any kind of NDA, then perhaps the legality of that document needs to come into question as well.

Re: You're thinking about it wrong.

Your idea of traffic patterns revealing interest in a topic is tantalizing, but still non sequitur to disclosure. Interest, even mass interest does not confirm or deny a report, it merely shows interest in that report. Taking interest in what the People are reading sounds almost like.... Caring coming from government functionaries. I agree Caring does fly in the face of our policies in practice.

Re: Re: You're thinking about it wrong.

No it is not a non-sequitur.

The knowledge is classified.
The names of people who know said knowledge are also classified in many cases.

You oftentimes get surprised at finding your own secret info out there, but that doesn't mean you want to expose the entire story by having the entire crew who dealt with said issue to flood a website with their IP#s and tell whoever might want to get more information exactly who they need to investigate.

Re: You're thinking about it wrong.

Wrong! If the information is readily available, say Wikileaks, then reading an article about it is not going to stop the leak, it has already happened. The NDA would cover leaking further information. This issue here is not leaking further information but reading about already leaked information. Also, to assess potential damage one may need to see what is being written in real time and what is actually available.

The idiotic policy of the DHS ignores the fact that most of the people who might view the news article probably do not know any specific details about leaked information. One of the very basic principles of information security is to limit access to the information. What you do not know or never have access to you can never leak.

For example, I know that signals are encrypted or encoded but do I need to know the details of how it is done? Only if my position requires me to decrypt or encrypt the signals and for this scenario I do not directly handle the encryption and I only see the final/initial plain text. So my reading about signal encryption will not harm signal security. Also, anyone approaching me about signal security will learn very little if I have only a vague idea of what is happening that could be learned by reading Wikipedia. Now what I should not comment on is the content of the signals to verify the accuracy of any plain text I know about.

Re: Re: You're thinking about it wrong.

Yes, what you've said is true, from the standpoint of most/sane people. However, there are other ways to look at the matter. For people dabbling with classified information, things are not as simple as that. I think Jeremy has eloquently explained how people managing classified information see things, and I found it entirely plausible. Please remember, these people are paid to be paranoid and want all things covered. What they want with these kinds of policies is not dumbing down their employees, nor forcing them to live in a fantasy land, but to stop further leaks.

I imagine these policies are only enforced on the workplace network. Those people can still access the said information as long as they're not using something which can be traced back to the workplace network. Rather than including those caveats in the policy, thus further complicating things for the morons-in-a-hurry masses, the policy writer just be done with it and made it like it's all encompassing.

So, you're right, from the standpoint of most people, it's a dumb move. But Jeremy is also right, from the standpoint of an information manager, it's a smart move.

Re: Re: You're thinking about it wrong.

> Wrong! If the information is readily available, say Wikileaks, then reading an article about it is not going to stop the leak, it has already happened.

You're entirely wrong, entirely incorrect. It's like you didn't even read what I wrote.

FACT A is leaked and reported on CNN
FACT A was known by PERSONS A B C and D
PERSONS A B C AND D go to CNN from corporate browsers, the same IP#'s, with DISQUS accounts, etc..etc..
Suddenly CNN knows everyone else who knew FACT A.
Any conclusions that may reveal FACT B C AND D that may be drawn from knowledge FACT A can now be refined simply by knowing the backgrounds of the people dealing with FACT A.

So yes, the leak IS NOT OVER when it gets reported, more information can be leaked just by having the wrong people viewing said information online. Why is this so difficult a concept to understand?

Re: You're thinking about it wrong.

> Now, let us suppose that you sign an NDA with a corporate development division. Let us also suppose that some of the work covered by NDA gets put out onto wikileaks.

Literally every NDA I've ever signed (and I've signed a lot of them) has stipulated that if the information has been released to the public due to no fault of my own, then the NDA no longer covers that particular information and I am free to discuss it as I see fit.

Re: trying to 'make sure' that classified info remains classified

Greg (and Jeremy),

I think you're correct that asking employees to NOT read classified info, even when it's public, is not stupid. (Or not entirely stupid, anyway.) Random DoD employees/contractors shouldn't be making decisions about what is/isn't public "enough".

But - NOT DE-CLASSIFYING info as soon as it becomes public IS STUPID. Internal policy should be to routinely declassify things as soon as they become generally known. Otherwise you put people in impossible and stupid situations.

Also, don't forget that, to those who work professionally with classified info, THE FACT that certain info is public can be highly relevant to their work. If you're spying on a terrorist (I'm being charitable here) using Method A, it seems to me rather important to know that the Bad Guys already know about Method A, so maybe that won't work so well...

Re: Re: trying to 'make sure' that classified info remains classified

Not only the Americans but the British 'intelligence' services as well.

I was involved in designing devices to assist defeating IEDs (home made bombs). The whole topic was very hush hush, but people were so paranoid that we got to the situation that we (the designers of the kit to defeat these devices) were not allowed to be told what the devices were, as it was secret. The fact that the terrorists were using these devices and the intelligence services knew what the devices were, apparently made it MORE secret, as they didn't want the terrorists to know that they knew what devices they were using. Added to that the fact that we (the designers) knew what these devices were through all sorts of publically available sources, made our conversations with the intelligence service totally bizarre.

Re: Re: trying to 'make sure' that classified info remains classified

"...to those who work professionally with classified info, THE FACT that certain info is public can be highly relevant to their work." I would assume that those who need to know what the 'terrorists' know, already know it.

"But - NOT DE-CLASSIFYING info as soon as it becomes public IS STUPID." I completely agree. I have no idea what procedure must be followed to declassify information, but I'm sure it's a pain in the ass, and gov't lawyers are probably involved. If I were an admin, and I had the choice to add one rule to an iptables chain or fill out a bunch of paperwork and talk to a gov't lawyer...

Why would someone with a security clearance be able to understand this better than someone without one? It doesn't comport with my experience, and I just took a few minutes to ask three coworkers with security clearances -- none of them could explain it, either. Their responses were more along the lines of "it's just considered best practice", not some kind of proof for why there's some kind of logic to it outside of the bureaucratic.

Re: Re:

OK, here's how it works. You are in an environment that handles classified information. You are in charge of the ordinary unclassified network. One of your greatest nightmares is the "data spill" where somehow classified information ends up on your unclassified network. Maybe it's as simple as somebody typing up and sending an email that has inappropriate information on it. Or it could be someone copying a document off the classified network and putting it on the wrong computer. Innocently or maliciously, who can tell.

So if that's your job, when you find something on your network that shouldn't be there, it has to be taken as a serious event. And it's a big hassle. Computers have to be seized, hard disks get wiped, users lose data. It's the only option.

OK, so now suppose that one of your users is web surfing the Guardian and downloads a document labeled secret, which, indeed, it actually is. Never mind that it's been improperly released to the public, by all appearances it's a secret document. What are you supposed to do? Tell him that, well, that's OK, you can keep that one, because after all everybody knows that that one is OK? Not an option. How are you supposed to tell without examining every file that the document marked secret is OK? How do you know that the guy isn't the leaker? When another document shows up, what do you do with that one? Do you really want that responsibility? Nobody with any sense does.

So the sysadmins can either expose themselves to endless hassle on a daily basis or block the web site. Which would you do?

DHS is a religion

This is just further evidence that DHS policy has become a religion run by fanatics. They are trying to play GOD; the way GOD cast Adam and Eve from the Garden of Eden for eating the fruit of the Tree of Knowledge of Good and Evil (if you believe in that sort of thing), so will a DHS employee be cast from the cadre for learning about what their own agency is doing.

They want to maintain ignorance, because through ignorance they maintain control.

Grayson

> "None of the funds made available by this
> Act may be used to restrict the access of
> members of the Armed Forces to publically
> available online news media during morale,
> welfare, and recreation periods."

> While this is one way to deal with the problem

Actually that wouldn't deal with the problem at all, since Grayson's amendment only addresses members of the Armed Forces. The military falls under the Department of Defense. DHS is separate and wouldn't be affected by Grayson's amendment.


Snow Crash

The US government needs to stop relying on science fiction books for ideas, especially when those ideas are representative of the bad guys. 1984 was the basis of the NSA spying and Snow Crash is where they apparently get the basis for employee code of conduct.

> As I've said each time this debate comes up, in the business world, the equivalent situation involving trade secrets or non-disclosure agreements almost always are recognized as null and void if the info becomes public through other means.

I won't mention names, but I've been personally implicated in violating an NDA by simply posting a link before. My point is business can be as back-assword as government. It only happened once, and since it was obviously me stating what's already been said, I was only warned by corporate that my license was in jeopardy of being terminated. Trust me, corporations love hackers even if they are white hat.

These are all irrelevant arguments. You can't prosecute someone for not predicting and already knowing what was in the news article before they clicked on it. You are going to have to argue in court that they were psychic, knew the contents, and went to read it only for the purpose of disseminating further information.